5. Terraform x Azure
1. Terraform x Azure x ?
2. Terraform x Azure x ?state
3. Terraform x Azure x Credential
4. Terraform x CI/CD Tool x MSI x Azure
12. Terraform x State
Terraform “State”
“state” “terraform.tfstate”
local “state” plans
state purpose
> Terraform must store state about your managed infrastructure and configuration. This state is used by Terraform to map real world resources to your configuration, keep track of metadata, and to improve performance for large infrastructures.
>
> This state is stored by default in a local file named "terraform.tfstate", but it can also be stored remotely, which works better in a team environment.
>
> Terraform uses this local state to create plans and make changes to your infrastructure. Prior to any operation, Terraform does a refresh to update the state with the real infrastructure.
>
> For more information on why Terraform requires state and why Terraform cannot function without state, please see the page state purpose.
Hashicorp Terraform Documentation -
13. Terraform x State purpose
> The primary motivation people have for using remote state files is in an attempt to improve using Terraform with teams. State files can easily result in conflicts when two people modify infrastructure at the same time.
>
> _Remote state_ is _the recommended solution_ to this problem. At the time of writing, remote state works well but there are still scenarios that can result in state conflicts. A priority for future versions of Terraform is to improve this.
“Remote State”
Terraform
Hashicorp Terraform Documentation -
14. Blob (Object) Storage
$ python --version && mkdir terraform-demo && cd terraform-demo && virtualenv env && source env/bin/activate && pip install azure-cli
$ az login
To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code FYT6E7UGR to authenticate. # -> browser login
$ az group create -n terraform-demo -l japaneast
$ az storage account create --name myterrastatestore --resource-group terraform-demo --location japaneast --sku Standard_RAGRS --encryption blob
$ az storage account keys list --account-name myterrastatestore --resource-group terraform-demo
$ az storage container create --name statestorecont --account-key 7p+SUZrcBuE2rUoUAT1RdvcarapOLlI1Qcl1LHAhWzYuz+Gv/w+Znwd7mcSqnITrgMN5NKc296ZfSWw1K21xwQ== --account-name myterrastatestore
OS/Security
Terraform okay
19. RBAC Role-based Access Control
[Diagram: Azure / On-Premises enterprise scaffold]
Hierarchy: Sector 1, Sector 2, .. > Region (NA, SA) > Division (Mktg, Sales, ..) > Project 1, Project 2, ..
Subscription: per Sector
Resource Group: per Project
Tags: Region, Division, Project
“Standard” VNet: per Division, in separate resource group
Billing: tracked per Division
Subnet: on “standard” VNet, assigned to each Project
On-Premises: Users, Groups and Password Sync Active Directory; ExpressRoute(s); IT Director's Office
Azure: Azure Active Directory
Roles:
Infrastructure Admins and Support: Owners of Subscriptions
Network Admins: VNet Contributors of “standard” VNet RGs
Project Team Roles: Virtual Machine Contributors of Project RGs and “standard” VNet RGs; appropriate Role on Project RGs
20. Azure CLI RBAC Service principal az login
[Diagram: az login device-code flow between Azure CLI, Web (OAuth web application) and SP (azure cli control)]
① Login
② Login Code
③ Login Code
④ Login Code + User Credential
⑤ (browser)
⑥ Auth Token
⑦ Auth Token, cached in $HOME/.azure/accessToken.json
Token has an expiry time!
21. RBAC Service principal
$ # default 1 --years option
$ az ad sp create-for-rbac
AppId                                 DisplayName                    Name                                  Password                              Tenant
------------------------------------  -----------------------------  ------------------------------------  ------------------------------------  ------------------------------------
15ac61e0-35a0-4969-97c9-1309420aabae  azure-cli-2018-06-14-07-26-27  http://azure-cli-2018-06-14-07-26-27  8d3f937e-6818-48fd-b36a-93e8fa9709f8  72f988bf-86f1-41af-91ab-2d7cd011db47
$ # subscription ID
$ az account list
Name                      CloudName   SubscriptionId                                State    IsDefault
------------------------  ----------  --------------------------------------------  -------  ---------
Visual Studio Enterprise  AzureCloud  2fasdfasd5a3-asdf65-4asdf-8bd9-d8asdfsdfdef8  Enabled
Microsoft Azure XXXX      AzureCloud  casdfasdf-s7fd1-46dd-87asfdsfasdff375         Enabled  True
$ #
$ az login --service-principal -u http://azure-cli-2018-06-14-07-26-27 -p "8d3f937e-6818-48fd-b36a-93e8fa9709f8" --tenant "72f988bf-86f1-41af-91ab-2d7cd011db47"
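Slides 14 and 21 both put a long-lived secret (the storage account key, the service principal password) directly on the command line, where it ends up in shell history and process listings. As an added example that is not part of the original deck, this Python checker scans constructed shell-history lines for that pattern and points at the alternatives the deck itself moves toward (environment variables, MSI via az login --identity). The environment variable names AZURE_STORAGE_KEY, ARM_ACCESS_KEY and ARM_CLIENT_SECRET are assumed from az CLI and Terraform azurerm conventions, not taken from the slides.

```python
import shlex
from typing import List, NamedTuple


class Finding(NamedTuple):
    line_no: int
    flag: str
    advice: str


# flag -> (az subcommand it applies to, defender advice).
# Env var names are assumed from az CLI / Terraform azurerm conventions, not from the slides.
RULES = {
    "--account-key": ("storage",
        "export AZURE_STORAGE_KEY (az) / ARM_ACCESS_KEY (terraform backend) from "
        "`az storage account keys list` instead of pasting the key"),
    "-p": ("login",
        "use `az login --identity` (MSI) on the management VM, or give Terraform "
        "the secret via ARM_CLIENT_SECRET"),
}
RULES["--password"] = RULES["-p"]


def inline_secret_findings(lines: List[str]) -> List[Finding]:
    """Flag az invocations whose secret-bearing flag is followed by a literal value."""
    findings = []
    for n, line in enumerate(lines, 1):
        try:
            toks = shlex.split(line)           # honours the quoting used on the slides
        except ValueError:                     # unbalanced quotes: not a complete command
            continue
        if len(toks) < 2 or toks[0] != "az":   # only az commands are in scope here
            continue
        for i, tok in enumerate(toks[:-1]):
            rule = RULES.get(tok)
            if rule is None or rule[0] != toks[1]:
                continue
            value = toks[i + 1]
            # "$KEY", "$(az ...)" or "@file" are not literals and leave no secret in history
            if value.startswith(("$", "@")):
                continue
            findings.append(Finding(n, tok, rule[1]))
    return findings


# Constructed sample history (placeholder secrets, not the slides' real values).
SAMPLE_HISTORY = [
    "az group create -n terraform-demo -l japaneast",
    "az storage container create --name statestorecont --account-key EXAMPLEKEY== --account-name myterrastatestore",
    'az login --service-principal -u http://azure-cli-2018-06-14-07-26-27 -p "EXAMPLE-SP-PASSWORD" --tenant "EXAMPLE-TENANT"',
    'az storage container create --name statestorecont --account-key "$AZURE_STORAGE_KEY" --account-name myterrastatestore',
    "az login --identity",
]
```

Running inline_secret_findings(SAMPLE_HISTORY) reports lines 2 and 3 only; the variable-based and MSI-based invocations pass.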
24. Token
[Diagram: Azure / Azure AD issue an Auth Token; Token and Token Code; Azure MSI (Managed Service Identity)]
25. Managed Service Identity
[Diagram: Tenant - Subscription with Azure Active Directory, Resource Group A and Resource Group B]
Resource Group A: Management VM with MSI
$ az login --identity  # MSI endpoint: Token Get -> Auth Token
$ terraform init/plan/apply/destroy  # manages the VM in Resource Group B